When setting up an FTP server, security should always come first, especially for FTP servers built with tools such as IIS. If the server is misconfigured and a malicious attack occurs, it is no exaggeration to say that the entire server system could collapse. Reasonable and comprehensive security management is therefore necessary.
Let’s start with the security of IIS.
Since the NT kernel, IIS has been an important information publishing platform in its own right, although many sources also discuss its vulnerabilities. IIS is often used to set up FTP servers, and its simple, easy-to-understand settings have won it many users. To make good use of IIS, consider its security from the following aspects:
1. Install system patches. Microsoft regularly releases the latest system security patches on its official website, and you can install them at any time using the Windows Update program that comes with the system.
2. FTP directory settings. A common approach is to place the home directory on a separate logical disk, set different access permissions on each sub-directory according to the user, and disable unnecessary services. This keeps attackers from using IIS overflow vulnerabilities to reach the system disk and provides a first level of protection.
3. Try not to use the default port number 21, and enable logging so that you can review the logs when the FTP service behaves abnormally.
Next, another FTP server package: Serv_U.
The software interface is shown in the figure below. I feel that this software does a better job in terms of security, and its settings are not error-prone. After using it for a while, I feel that its speed is much faster than IIS. Even so, attention should also be paid to its correct configuration:
1. Regarding server password settings in the domain.
Serv_U provides three security password types: rule password, OTPS/KEY MD4 and OTPS/KEY MD5. It goes without saying that the rule password has the lowest security. Generally, after we set up an account with administrative rights, we open the "Password Type" drop-down box under the "General" tab, and it is relatively safer to choose the latter two types.
2. Check "Block FTP_bounce attacks and FXP". FXP is also called a cross-server attack. Simply put:
When a malicious user puts specific address information in the PORT command, the FTP server is made to establish a connection with a machine other than the client. If the FTP server has the right to access those non-client computers, the attacker can use the FTP server as an "intermediary" to reach the target server.
3. As with IIS, it is best to move the home directory to another partition. When setting permissions for users, start with low permissions and grant write, modify and similar permissions only when needed. Also save the service logs to files for future reference.
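The check behind the "Block FTP_bounce attacks" option in item 2 can be sketched as follows. This is an added example, not Serv_U's code: the function names and sample addresses are constructed, and rejecting ports below 1024 follows the recommendation in RFC 2577 rather than anything stated on this page.

```python
import ipaddress

def parse_port_argument(arg):
    """Parse the 'h1,h2,h3,h4,p1,p2' argument of an FTP PORT command."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("expected six comma-separated fields")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError("fields must be decimal digits")
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError("fields must be in 0..255")
    host = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return host, nums[4] * 256 + nums[5]

def check_port_command(line, control_peer_ip):
    """Decide whether a command from the control connection may proceed.

    control_peer_ip is the source address of the client's control connection.
    Returns (allowed, reason).
    """
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        return True, "not a PORT command"
    try:
        host, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, f"malformed PORT: {exc}"
    if host != ipaddress.IPv4Address(control_peer_ip):
        return False, f"bounce: {host} is not the client {control_peer_ip}"
    if port < 1024:
        return False, f"bounce: port {port} is a reserved port"
    return True, "ok"

# Constructed sample session: the client connected from 203.0.113.10.
SAMPLE_COMMANDS = [
    "PORT 203,0,113,10,195,80",   # client's own address, port 50000
    "PORT 10,0,0,5,0,139",        # third-party host behind the server
    "PORT 203,0,113,10,0,139",    # client's address but reserved port
    "PORT 203,0,113,10,195",      # truncated argument
]

def demo():
    return [check_port_command(c, "203.0.113.10") for c in SAMPLE_COMMANDS]

if __name__ == "__main__":
    for cmd, (ok, reason) in zip(SAMPLE_COMMANDS, demo()):
        print(f"{cmd:28} -> {'ALLOW' if ok else 'REJECT'} ({reason})")
```

Only the first sample command is allowed; rejected commands are worth writing to the service log so that bounce attempts show up when the logs are reviewed.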
Having covered the server software, let's turn to the operating system itself.
For the security of the FTP server, it is best to use Windows 2000 Server, Windows XP or Windows 2003 Enterprise Edition, and to keep downloading security patches and upgrades as they are released.
1. You can use the system's built-in "Internet Connection Firewall" function to perform security settings. Open the "Local Area Connection" properties dialog box, go to the "Advanced" tab and check "Protect my computer and network by restricting or blocking access to this computer from the Internet". Then click the "Settings" button in the lower right corner to enter "Advanced Settings", select "FTP Server" and click Edit. As shown in the figure, only the IP address field can be changed. If the FTP server port you set earlier is not the default 21, go back to the previous step, click "Add" under the "Service" tab, enter the server name and IP address, and fill in the external and internal port numbers with the port you chose.
2. "TCP/IP filtering" function. Go to "Local Area Connection" --- "General" --- "Internet Protocol (TCP/IP)", double-click to open it, click the "Advanced" button and switch to "Options" to start the settings. As shown in the figure below, here we can set the system to permit only the listed ports. This filtering can effectively prevent the most common intrusions, such as those through port 139. However, the shortcomings of this method are also obvious: the function is too simple, since you can only list the ports that are allowed and cannot specify ports to be closed. If you need to open multiple ports, you have to add them manually one by one, which is tedious.
Server security is a topic that can never be exhausted. The key is to summarize and accumulate experience in day-to-day management. With the basic settings above in place, your FTP server should have a certain degree of security and can be put into use with confidence!